Seven Charged In $14M Internet Fraud Scheme


Seven international hackers have been charged by the Justice Department with infecting more than four million computers, including 500,000 in the United States, with malware that redirected users through rogue domain name system (DNS) servers controlled by the hackers, netting the suspects at least $14 million in illegal profits, according to an announcement from the FBI late Wednesday. NASA computers were among those infected with the malware, the FBI noted.

The malware preyed on users’ implicit trust of such well-known websites as Google, Amazon, Apple, Netflix, ESPN, The Wall Street Journal and the IRS, either diverting users to other websites when they tried to visit those sites or replacing the advertisements on them. In both cases the hackers were paid by third parties for the resulting click-throughs and views.

The subsequent investigation and bust were codenamed “Operation Ghost Click,” according to Sophos’ cybersecurity blog Naked Security.

Six of the suspects were arrested in their home country of Estonia by the Estonian Police and Border Guard Board, but the U.S. is seeking to extradite them to face prosecution on American soil. One of the suspects, a Russian, Andrey Taame, 31, is still on the loose, according to the FBI. All of the suspects are facing five counts of computer crime and wire fraud, and one, Vladimir Tsastsin, 31, faces an additional 22 counts of money laundering. The wire fraud charges alone for each of the men carry a maximum penalty of 30 years.

Investigators also “seized computers at various locations, froze the defendants’ financial accounts, and disabled their network of U.S.-based computers–including dozens of rogue DNS servers located in New York and Chicago,” the FBI said. To prevent infected computers from losing all Internet access once the rogue servers went dark, legitimate replacement DNS servers have been set up by a nonprofit to answer queries from the still-infected machines.

And while government officials praised the success of the collaborative efforts of national and international law enforcement agencies in uncovering the alleged scheme and arresting most of the suspected hackers, they acknowledged that many more Internet fraud operations are running around the globe.

“The international cyber threat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the Internet iceberg,” said Manhattan U.S. attorney Preet Bharara in the FBI’s announcement.

The 43-page indictment also describes in some detail just how the Internet fraud scheme worked. The hackers primarily used two different strains of DNS-changer malware to alter the domain name system (DNS) settings on users’ computers, so that the machines sent their name lookups to rogue DNS servers under the hackers’ control. Those servers answered selected lookups with addresses of the hackers’ choosing, so that when users attempted to visit specific websites they were instead routed to different websites and advertisements. Advertisers paid the hackers for that traffic under the impression that they were dealing with operators of legitimate advertising companies. This scheme was conducted over at least a four-year period, from 2007 to October 2011, according to the Justice Department.

One method, the “click hijacking” malware, redirected users attempting to search on Google and Yahoo for legitimate websites such as Apple’s iTunes, Netflix and the IRS. When a user searched, they were either presented with phony search results created by the hackers or with the actual search results pages containing the real links to those websites. In either case, when they clicked on these links, the malware instead took users to entirely different websites whose operators had struck agreements with the hackers to pay for directed traffic. In the case of the IRS website, the malware redirected users to H&R Block’s website, for which the hackers earned money for redirecting traffic.

The indictment notes that the hackers redirected users away from Google’s and Yahoo’s “Sponsored Links,” as well, depriving Google of revenue.

The “advertising replacement fraud” method was perhaps even more insidious. In this case, the malware replaced only the advertisements on legitimate websites with different advertisements for companies that the hackers had struck agreements with, which paid the hackers for views.

The indictment cites an example wherein a legitimate American Express ad on The Wall Street Journal homepage on May 31, 2010, was replaced on infected users’ computers with an advertisement for “Fashion Girl LA.” The government also describes cases wherein infected computers replaced an ad on Amazon.com for Microsoft Windows 8 with one for an email marketing business, and an ad on the ESPN website for “Dr. Pepper Ten” with one for a timeshare.

The government also points out that in order to make the scheme work, the hackers operated rogue DNS servers in New York and Chicago. The malware also blocked users’ machines from installing new antivirus and malware-detection software and from receiving updates to existing software, which helped the infections persist.

The FBI has put out guidance, explaining how Mac and Windows users can check if their computers are infected and what to do about the malware.

However, as the Sophos Naked Security blog notes, “if your DNS server is inside one of these ranges, you aren’t necessarily infected; if your DNS server is outside these ranges, you aren’t necessarily clean; resetting your DNS server if it’s wrong won’t fix the malware problem which changed it in the first place; and the DNS Changer malware family referred to in the FBI’s article is just one of many thousands of malware families, each consisting of many thousands of samples.” Sophos recommends checking with your ISP or IT help desk.
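The FBI’s check boils down to “is my configured resolver inside a published list of address ranges?” Below is an added example of that check, written for this article and not taken from the FBI, Sophos or the indictment. It parses resolver settings from a resolv.conf-style file and from Windows “ipconfig /all” output, and reports which configured resolvers fall inside a supplied list of ranges. The ranges and the two configuration snippets in the block are constructed placeholders (the RFC 5737 documentation networks), not the FBI’s published rogue ranges; substitute the FBI’s list before using it. Consistent with the Sophos caveat, the verdicts are deliberately “suspect” and “no_match” rather than “infected” and “clean.”

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 TEST-NET blocks). These are NOT the
# FBI's published rogue-DNS ranges; replace them with the FBI's list.
SUSPECT_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
]

# Constructed samples, not real captures from any machine.
SAMPLE_RESOLV_CONF = """# /etc/resolv.conf (constructed sample)
nameserver 198.51.100.7
nameserver 8.8.8.8
search example.internal
"""

SAMPLE_IPCONFIG = """   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def extract_nameservers(config_text):
    """Return the resolver addresses configured in the given text.

    Handles 'nameserver X' lines (resolv.conf) and the 'DNS Servers . . : X'
    line of 'ipconfig /all', including the indented continuation lines Windows
    prints when several resolvers are configured. Unparseable tokens are skipped.
    """
    found = []
    in_dns_block = False  # True while reading ipconfig continuation lines
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns_block = False
            continue
        m = re.match(r"DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block and re.fullmatch(r"[0-9a-fA-F:.]+", line):
            found.append(line)  # continuation line holding another resolver
            continue
        in_dns_block = False

    servers = []
    for token in found:
        try:
            servers.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an IP literal; ignore rather than guess
    return servers


def classify(servers, ranges=SUSPECT_RANGES):
    """Return (verdict, hits).

    'suspect'  - at least one configured resolver lies inside a listed range;
                 worth investigating, but not proof of infection.
    'no_match' - no resolver lies in a listed range; as Sophos notes, this does
                 not prove the machine is clean.
    Address-family mismatches (IPv6 resolver vs IPv4 range) simply do not match.
    """
    hits = [s for s in servers if any(s in r for r in ranges)]
    return ("suspect" if hits else "no_match"), hits


if __name__ == "__main__":
    for label, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        servers = extract_nameservers(text)
        verdict, hits = classify(servers)
        print(f"{label}: resolvers={[str(s) for s in servers]} verdict={verdict} "
              f"hits={[str(h) for h in hits]}")
```

Whatever the verdict, the follow-up is the one Sophos gives: a resolver inside the list is a reason to run a full malware scan and talk to your ISP or help desk, and merely editing the resolver address back does nothing about the malware that changed it.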

Another area where the government falls short is explaining just how users became infected in the first place, saying only “Victims’ computers became infected with the malware when they visited certain websites or downloaded certain software to view videos online.” The government hasn’t yet specified precisely which “certain websites” or video software installed the malware. TPM has reached out to the Justice Department for further information and will update when we receive a response.

The investigation itself didn’t start until two years ago, when NASA discovered the malware on more than 100 computers, according to NASA Inspector General Paul Martin, Bloomberg reported. Martin also said that NASA had yet to find any evidence that “affected operations or compromised its scientific research,” according to Bloomberg.

Still, the admission is an eyebrow-raiser given NASA’s acknowledgment in October that it suffered two “suspicious events” involving one of its satellites. That satellite had been named earlier in a draft report from a Congressional advisory panel alleging that someone hacked it and another U.S. government satellite from the ground, possibly following techniques described in Chinese military writings.

There’s nothing yet connecting this malware fraud case and the other NASA satellite hacking reports, but TPM has reached out to NASA for more information and will update when we receive a response. In any case, both cases are worrisome indicators of NASA’s overall cybersecurity.

Correction: This post’s headline originally incorrectly identified the amount earned by the fraudsters as “$14B” instead of “$14M.” We’ve since corrected the information. We regret the error.
